Configuring an IPsec Policy - HP 3600 v2 Series Security Configuration Manual


To do... / Use the command... / Remarks

To do: Enter system view
Use the command: system-view

To do: Create an IPsec proposal and enter its view
Use the command: ipsec proposal proposal-name
Remarks: Required. By default, no IPsec proposal exists.

To do: Specify the security protocol for the proposal
Use the command: transform { ah | ah-esp | esp }
Remarks: Optional. ESP by default.

To do: Specify the security algorithms: specify the encryption algorithm for ESP
Use the command: esp encryption-algorithm { 3des | aes [ key-length ] | des }
Remarks: Optional. DES by default.

To do: Specify the security algorithms: specify the authentication algorithm for ESP
Use the command: esp authentication-algorithm { md5 | sha1 }
Remarks: Optional. MD5 by default.

To do: Specify the security algorithms: specify the authentication algorithm for AH
Use the command: ah authentication-algorithm { md5 | sha1 }
Remarks: Optional. MD5 by default.

To do: Specify the IP packet encapsulation mode for the IPsec proposal
Use the command: encapsulation-mode { transport | tunnel }
Remarks: Optional. Tunnel mode by default. Transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel. IPsec for IPv6 routing protocols supports only the transport mode.

NOTE:
Changes to an IPsec proposal affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up using the updated parameters.
You can configure security algorithms for a security protocol only after you select that protocol. For example, you can specify the ESP-specific security algorithms only when you select ESP as the security protocol. ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication.

Configuring an IPsec policy

IPsec policies define which IPsec proposals should be used to protect which data flows. An IPsec policy is uniquely identified by its name and sequence number.
The switch supports only manual IPsec policies. All parameters of a manual IPsec policy, such as the keys and the SPIs, are configured manually.
Configuration guidelines
To ensure successful SA negotiations, follow these guidelines when configuring manual IPsec policies:
1. Within a certain routed network scope, the IPsec proposals used by the IPsec policies on all routers must have the same security protocols, security algorithms, and encapsulation mode. For OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be
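
Because every IPsec proposal command after ipsec proposal is optional and falls back to a default (ESP, DES, MD5, tunnel mode), a proposal's effective settings are not visible from the commands that were typed. The following added example, which is not part of the HP manual, resolves the effective settings from a command listing and flags DES, MD5 and non-transport mode for IPv6 routing protocols; the proposal names, the sample listing and the choice of what to flag are assumptions made here.

```python
# Added example (not from the HP manual): effective IPsec proposal settings.
DEFAULTS = {"transform": "esp", "esp_enc": "des", "esp_auth": "md5",
            "ah_auth": "md5", "mode": "tunnel"}  # defaults from the Remarks
COMMANDS = {"transform": "transform", "encapsulation-mode": "mode",
            "esp encryption-algorithm": "esp_enc",
            "esp authentication-algorithm": "esp_auth",
            "ah authentication-algorithm": "ah_auth"}
WEAK = {"des", "md5"}  # audit policy assumed here, not stated by the manual

def parse_proposals(text):
    """Return {proposal-name: effective settings} for a command listing."""
    proposals, current = {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line.startswith("ipsec proposal "):
            current = proposals.setdefault(line.split()[2], dict(DEFAULTS))
        elif line in ("quit", "#", ""):
            current = None  # left the proposal view
        elif current is not None:
            for keyword, key in COMMANDS.items():
                if line.startswith(keyword + " "):
                    current[key] = line[len(keyword) + 1:]
    return proposals

def findings(s, ipv6_routing=False):
    """Issues in one proposal; only the selected protocol(s) are checked."""
    out = []
    if s["transform"] in ("esp", "ah-esp"):
        if s["esp_enc"].split()[0] in WEAK:  # "aes 128" -> "aes"
            out.append("ESP encryption: " + s["esp_enc"])
        if s["esp_auth"] in WEAK:
            out.append("ESP authentication: " + s["esp_auth"])
    if s["transform"] in ("ah", "ah-esp") and s["ah_auth"] in WEAK:
        out.append("AH authentication: " + s["ah_auth"])
    if ipv6_routing and s["mode"] != "transport":
        out.append("encapsulation mode: " + s["mode"])
    return out

# Constructed sample: "legacy" sets nothing, so every default applies.
SAMPLE = """ipsec proposal legacy
quit
ipsec proposal ospfv3
 esp encryption-algorithm aes 128
 esp authentication-algorithm sha1
 encapsulation-mode transport
quit
"""
REPORT = {name: findings(s, ipv6_routing=True)
          for name, s in parse_proposals(SAMPLE).items()}
```

REPORT maps each proposal name to its list of findings; an empty list means nothing was flagged.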


This manual is also suitable for:

A3100-48 v2
